--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -838,35 +838,16 @@ CertVerifier::VerifyCert(CERTCertificate
EndEntityOrCA::MustBeEndEntity,
KeyUsage::keyAgreement, // ECDH/DH
KeyPurposeId::id_kp_emailProtection,
CertPolicyId::anyPolicy, stapledOCSPResponse);
}
break;
}
- case certificateUsageObjectSigner: {
- NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
- mOCSPTimeoutSoft, mOCSPTimeoutHard,
- mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
- ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed,
- NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
- rv = BuildCertChain(trustDomain, certDER, time,
- EndEntityOrCA::MustBeEndEntity,
- KeyUsage::digitalSignature,
- KeyPurposeId::id_kp_codeSigning,
- CertPolicyId::anyPolicy, stapledOCSPResponse);
- break;
- }
-
default:
rv = Result::FATAL_ERROR_INVALID_ARGS;
}
if (rv != Success) {
return rv;
}
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -41,17 +41,16 @@ Fips140SlotDescription=FIPS 140 Cryptogr
# 32
InternalToken=Software Security Device
# End of size restriction.
VerifySSLClient=SSL Client Certificate
VerifySSLServer=SSL Server Certificate
VerifySSLCA=SSL Certificate Authority
VerifyEmailSigner=Email Signer Certificate
VerifyEmailRecip=Email Recipient Certificate
-VerifyObjSign=Object Signer
HighGrade=High Grade
MediumGrade=Medium Grade
# LOCALIZATION NOTE (nick_template): $1s is the common name from a cert (e.g. "Mozilla"), $2s is the CA name (e.g. VeriSign)
nick_template=%1$s’s %2$s ID
#These are the strings set for the ASN1 objects in a certificate.
CertDumpCertificate=Certificate
CertDumpVersion=Version
# LOCALIZATION NOTE (CertDumpVersionValue): %S is a version number (e.g. "3" in "Version 3")
--- a/security/manager/pki/resources/content/certViewer.js
+++ b/security/manager/pki/resources/content/certViewer.js
@@ -87,38 +87,35 @@ function setWindowName() {
}
// Certificate usages we care about in the certificate viewer.
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
-const certificateUsageObjectSigner = 0x0040;
// A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported
// usages.
const certificateUsages = {
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageSSLCA,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
- certificateUsageObjectSigner,
};
// Map of certificate usage name to localization identifier.
const certificateUsageToStringBundleName = {
certificateUsageSSLClient: "VerifySSLClient",
certificateUsageSSLServer: "VerifySSLServer",
certificateUsageSSLCA: "VerifySSLCA",
certificateUsageEmailSigner: "VerifyEmailSigner",
certificateUsageEmailRecipient: "VerifyEmailRecip",
- certificateUsageObjectSigner: "VerifyObjSign",
};
const PRErrorCodeSuccess = 0;
const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12;
const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -637,93 +637,87 @@ nsNSSCertificate::GetOrganizationalUnit(
UniquePORTString orgunit(CERT_GetOrgUnitName(&mCert->subject));
if (orgunit) {
aOrganizationalUnit = NS_ConvertUTF8toUTF16(orgunit.get());
}
}
return NS_OK;
}
+static nsresult
+UniqueCERTCertListToMutableArray(/*in*/ UniqueCERTCertList& nssChain,
+ /*out*/ nsIArray** x509CertArray)
+{
+ if (!x509CertArray) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create();
+ if (!array) {
+ return NS_ERROR_FAILURE;
+ }
+
+ CERTCertListNode* node;
+ for (node = CERT_LIST_HEAD(nssChain.get());
+ !CERT_LIST_END(node, nssChain.get());
+ node = CERT_LIST_NEXT(node)) {
+ nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
+ nsresult rv = array->AppendElement(cert, false);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ }
+
+ array.forget(x509CertArray);
+ return NS_OK;
+}
+
NS_IMETHODIMP
nsNSSCertificate::GetChain(nsIArray** _rvChain)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
NS_ENSURE_ARG(_rvChain);
mozilla::pkix::Time now(mozilla::pkix::Now());
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
UniqueCERTCertList nssChain;
- // We want to test all usages, but we start with server because most of the
- // time Firefox users care about server certs.
- if (certVerifier->VerifyCert(mCert.get(), certificateUsageSSLServer, now,
- nullptr, /*XXX fixme*/
- nullptr, /* hostname */
- nssChain,
- CertVerifier::FLAG_LOCAL_ONLY)
- != mozilla::pkix::Success) {
- nssChain = nullptr;
- // keep going
- }
-
- // This is the whitelist of all non-SSLServer usages that are supported by
- // verifycert.
- const int otherUsagesToTest = certificateUsageSSLClient |
- certificateUsageSSLCA |
- certificateUsageEmailSigner |
- certificateUsageEmailRecipient |
- certificateUsageObjectSigner;
- for (int usage = certificateUsageSSLClient;
- usage < certificateUsageAnyCA && !nssChain;
- usage = usage << 1) {
- if ((usage & otherUsagesToTest) == 0) {
- continue;
- }
+ // We want to test all usages supported by the certificate verifier, but we
+ // start with TLS server because most of the time Firefox users care about
+ // server certs.
+ const int usagesToTest[] = { certificateUsageSSLServer,
+ certificateUsageSSLClient,
+ certificateUsageSSLCA,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient };
+ for (auto usage : usagesToTest) {
if (certVerifier->VerifyCert(mCert.get(), usage, now,
nullptr, /*XXX fixme*/
nullptr, /*hostname*/
nssChain,
CertVerifier::FLAG_LOCAL_ONLY)
- != mozilla::pkix::Success) {
- nssChain = nullptr;
- // keep going
+ == mozilla::pkix::Success) {
+ return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
}
}
- if (!nssChain) {
- // There is not verified path for the chain, however we still want to
- // present to the user as much of a possible chain as possible, in the case
- // where there was a problem with the cert or the issuers.
- nssChain = UniqueCERTCertList(
- CERT_GetCertChainFromCert(mCert.get(), PR_Now(), certUsageSSLClient));
- }
+ // There is no verified path for the chain, however we still want to
+ // present to the user as much of a possible chain as possible, in the case
+ // where there was a problem with the cert or the issuers.
+ nssChain = UniqueCERTCertList(
+ CERT_GetCertChainFromCert(mCert.get(), PR_Now(), certUsageSSLClient));
if (!nssChain) {
return NS_ERROR_FAILURE;
}
-
- // enumerate the chain for scripting purposes
- nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create();
- if (!array) {
- return NS_ERROR_FAILURE;
- }
- CERTCertListNode* node;
- for (node = CERT_LIST_HEAD(nssChain.get());
- !CERT_LIST_END(node, nssChain.get());
- node = CERT_LIST_NEXT(node)) {
- nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
- array->AppendElement(cert, false);
- }
- *_rvChain = array;
- NS_IF_ADDREF(*_rvChain);
- return NS_OK;
+ return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
}
NS_IMETHODIMP
nsNSSCertificate::GetSubjectName(nsAString& _subjectName)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
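Review bot: UniqueCERTCertListToMutableArray hands `nssChain.get()` to CERT_LIST_HEAD without testing it, and GetChain now calls the helper as soon as VerifyCert reports Success, where the removed code still re-checked `!nssChain` before walking the list. Whether VerifyCert can succeed and leave the list unset is not visible in this hunk, so the helper should guard it itself: `if (!x509CertArray || !nssChain) { return NS_ERROR_INVALID_ARG; }`. The result of `nsNSSCertificate::Create(node->cert)` is likewise appended unchecked; if Create can return null, the array handed to script would carry a null entry. A short comment on GetChain would also help callers that treat the result as a trust decision, noting that the fallback chain from CERT_GetCertChainFromCert is unverified and is returned through the same path as a verified one. GetSubjectName's body at the end of the hunk continues outside it.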
--- a/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@@ -34,34 +34,34 @@ add_task(async function testEmailEndEnti
let win = await displayCertificate(cert);
checkUsages(win, ["Email Recipient Certificate", "Email Signer Certificate"]);
await BrowserTestUtils.closeWindow(win);
});
add_task(async function testCodeSignEndEntity() {
let cert = await readCertificate("code-ee.pem", ",,");
let win = await displayCertificate(cert);
- checkUsages(win, ["Object Signer"]);
+ checkError(win, "Could not verify this certificate for unknown reasons.");
await BrowserTestUtils.closeWindow(win);
});
add_task(async function testExpired() {
let cert = await readCertificate("expired-ca.pem", ",,");
let win = await displayCertificate(cert);
checkError(win, "Could not verify this certificate because it has expired.");
await BrowserTestUtils.closeWindow(win);
-});
-add_task(async function testIssuerExpired() {
- let cert = await readCertificate("ee-from-expired-ca.pem", ",,");
- let win = await displayCertificate(cert);
- checkError(win,
+ // These tasks may run in any order, so we run this additional testcase in the
+ // same task.
+ let eeCert = await readCertificate("ee-from-expired-ca.pem", ",,");
+ let eeWin = await displayCertificate(eeCert);
+ checkError(eeWin,
"Could not verify this certificate because the CA certificate " +
"is invalid.");
- await BrowserTestUtils.closeWindow(win);
+ await BrowserTestUtils.closeWindow(eeWin);
});
add_task(async function testUnknownIssuer() {
let cert = await readCertificate("unknown-issuer.pem", ",,");
let win = await displayCertificate(cert);
checkError(win,
"Could not verify this certificate because the issuer is " +
"unknown.");
@@ -79,25 +79,25 @@ add_task(async function testInsecureAlgo
});
add_task(async function testUntrusted() {
let cert = await readCertificate("untrusted-ca.pem", "p,p,p");
let win = await displayCertificate(cert);
checkError(win,
"Could not verify this certificate because it is not trusted.");
await BrowserTestUtils.closeWindow(win);
-});
-add_task(async function testUntrustedIssuer() {
- let cert = await readCertificate("ee-from-untrusted-ca.pem", ",,");
- let win = await displayCertificate(cert);
- checkError(win,
+ // These tasks may run in any order, so we run this additional testcase in the
+ // same task.
+ let eeCert = await readCertificate("ee-from-untrusted-ca.pem", ",,");
+ let eeWin = await displayCertificate(eeCert);
+ checkError(eeWin,
"Could not verify this certificate because the issuer is not " +
"trusted.");
- await BrowserTestUtils.closeWindow(win);
+ await BrowserTestUtils.closeWindow(eeWin);
});
add_task(async function testRevoked() {
// Note that there's currently no way to un-do this. This should only be a
// problem if another test re-uses a certificate with this same key (perhaps
// likely) and subject (less likely).
let certBlocklist = Cc["@mozilla.org/security/certblocklist;1"]
.getService(Ci.nsICertBlocklist);
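Review bot: The comment added in testUntrusted, "These tasks may run in any order", does not say what the second case depends on. Presumably ee-from-untrusted-ca.pem only produces the "issuer is not trusted" error while untrusted-ca.pem, imported a few lines above with "p,p,p" trust, is still present. Saying so would tell the next maintainer why the two cases cannot be split again, e.g. `// ee-from-untrusted-ca.pem chains to untrusted-ca.pem, which must already be imported as distrusted for this error to appear.` The identical comment in testExpired in the previous hunk has the same gap with expired-ca.pem. testRevoked's body at the end of this hunk continues outside it.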
@@ -105,17 +105,17 @@ add_task(async function testRevoked() {
"MBIxEDAOBgNVBAMMB3Jldm9rZWQ=", // CN=revoked
"VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="); // hash of the shared key
let cert = await readCertificate("revoked.pem", ",,");
let win = await displayCertificate(cert);
// As of bug 1312827, OneCRL only applies to TLS web server certificates, so
// this certificate will actually verify successfully for every end-entity
// usage except TLS web server.
checkUsages(win, ["Email Recipient Certificate", "Email Signer Certificate",
- "Object Signer", "SSL Client Certificate"]);
+ "SSL Client Certificate"]);
await BrowserTestUtils.closeWindow(win);
});
add_task(async function testInvalid() {
// This certificate has a keyUsage extension asserting cRLSign and
// keyCertSign, but it doesn't have a basicConstraints extension. This
// shouldn't be valid for any usage. Sadly, we give a pretty lame error
// message in this case.
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -85,28 +85,26 @@ const MOZILLA_PKIX_ERROR_REQUIRED_TLS_FE
const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = MOZILLA_PKIX_ERROR_BASE + 12;
// Supported Certificate Usages
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
-const certificateUsageObjectSigner = 0x0040;
// A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported
// usages.
const allCertificateUsages = {
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageSSLCA,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
- certificateUsageObjectSigner,
};
const NO_FLAGS = 0;
// Commonly certificates are represented as PEM. The format is roughly as
// follows:
//
// -----BEGIN CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_cert_keyUsage.js
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
@@ -11,18 +11,18 @@ var certdb = Cc["@mozilla.org/security/x
const caList = [ "ca-no-keyUsage-extension", "ca-missing-keyCertSign",
"ca-all-usages" ];
const eeList = [ "ee-no-keyUsage-extension", "ee-keyCertSign-only",
"ee-keyEncipherment-only", "ee-keyCertSign-and-keyEncipherment" ];
const caUsage = [ certificateUsageSSLCA ];
const allEEUsages = [ certificateUsageSSLClient, certificateUsageSSLServer,
- certificateUsageEmailSigner, certificateUsageEmailRecipient,
- certificateUsageObjectSigner ];
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient ];
const serverEEUsages = [ certificateUsageSSLServer,
certificateUsageEmailRecipient ];
const expectedUsagesMap = {
"ca-no-keyUsage-extension": caUsage,
"ca-missing-keyCertSign": [],
"ca-all-usages": caUsage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -31,34 +31,30 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageObjectSigner);
// Test of active distrust. No usage should pass.
setCertTrust(cert_to_modify_trust, "p,p,p");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageObjectSigner);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, "T,T,T");
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
@@ -71,69 +67,60 @@ function test_ca_distrust(ee_cert, cert_
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageObjectSigner);
// Now tests on the SSL trust bit
setCertTrust(cert_to_modify_trust, "p,C,C");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
// XXX(Bug 982340)
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageObjectSigner);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ",C,C");
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
// XXX(Bug 982340)
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageObjectSigner);
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, "C,p,C");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageObjectSigner);
// inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, "C,,C");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
@@ -141,18 +128,16 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageObjectSigner);
}
function run_test() {
let certList = [
"ca",
"int",
"ee",
@@ -186,24 +171,20 @@ function run_test() {
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
- certificateUsageObjectSigner);
// Now make a CA trust anchor available.
setCertTrust(ca_cert, "CTu,CTu,CTu");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageObjectSigner);
}
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -20,18 +20,18 @@ function test_cert_for_usages(certChainN
}
let cert = certs[0];
return asyncTestCertificateUsages(certdb, cert, expected_usages);
}
add_task(async function() {
let ee_usages = [ certificateUsageSSLClient, certificateUsageSSLServer,
- certificateUsageEmailSigner, certificateUsageEmailRecipient,
- certificateUsageObjectSigner ];
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient ];
let ca_usages = [ certificateUsageSSLCA ];
let eku_usages = [ certificateUsageSSLClient, certificateUsageSSLServer ];
// Load the ca into mem
let ca_name = "ca";
load_cert(ca_name, "CTu,CTu,CTu");
await test_cert_for_usages([ca_name], ca_usages);